“Duqu” Trojan Threat Info Request Addressed

In response to increased reader comments and requests for updates regarding the Duqu Trojan threat, our staff has organized a series of links to articles addressing the Duqu threat for our readership.

To put the threat from the Duqu virus in proper perspective, our staff also agrees with Bulent Teksoz, Chief Security Strategist for Emerging Markets with Symantec, when he states that, “… while Duqu does not directly target industrial control systems, its discovery has reignited fears about cyber-attacks targeted at power plants, water treatment facilities, and chemical plants. Considering the history of Stuxnet, the potential of the same attackers, and currently known targets, we urge industrial control system manufacturers and any other organizations that provide solutions to industrial facilities to audit their network for Duqu.”

As our information security professionals wrestle with this new malicious program, it is natural to wonder what this next chapter in large-scale, high-profile attacks could mean. In other words, be prepared — even if you’re not running a control system, Duqu and Stuxnet illustrate that a determined attacker can find a way into almost any network.

To add further perspective on this particular Trojan threat, the staff writers at the Emirates 24/7 website recently offered the following summarized 10-step guide to help understand what Duqu is and what it might mean as a potential threat to you or your business:

1. Parts of Duqu are nearly identical to the Stuxnet worm, but its sole purpose is to gather intelligence that could be used to give attackers the insight they need to mount future attacks.

2. Stuxnet, which infected tens of thousands of computers last year, created a worldwide sensation when Symantec revealed that it was designed to sabotage hardware used in uranium enrichment at an Iranian nuclear site.

3. So far, Duqu infections have been confirmed in at least six organizations in eight countries (France, the Netherlands, Switzerland, the Ukraine, India, Iran, Sudan, and Vietnam).

4. It is primarily a remote access Trojan; it does not self-replicate to spread, which means it is not a worm.

5. Duqu uses HTTP and HTTPS to communicate with two known command-and-control (C&C) servers, both of which are now inactive. Through these servers the attackers were able to download additional executables, including an ‘infostealer’ that can gather system information. The gathered information is logged to a lightly encrypted and compressed local file, which is then exported.

6. Duqu is configured to run for 30 or 36 days, at which point it will automatically remove itself from a system.

7. Duqu is not widespread, but it is highly targeted at suppliers to industrial facilities.

8. Symantec researchers noted that the industrial sector is not Duqu’s sole target, adding that they have identified one or more targets outside the industrial sector who provide assets that would aid a future attack.

9. Attacks using Duqu and its variants may have been going on since last December, based on a review of file-compilation times, according to Symantec.

10. Duqu was recovered from a limited group of organizations based in Europe and first analyzed by the Laboratory of Cryptography and System Security in Budapest.
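The guide above notes that Duqu talks to its C&C servers over ordinary HTTP and HTTPS, which is why Symantec urges suppliers to industrial facilities to audit their networks. The article names no domains or addresses, so the script below is an added, generic example (not from the article, Symantec, or any Duqu analysis) of one check a defender can run over proxy logs: it looks for a client that contacts the same host on a suspiciously regular schedule, the "beaconing" pattern typical of a remote access Trojan checking in. The log format, hostnames and addresses are constructed for the example and are not Duqu indicators.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log excerpt (hypothetical hosts and addresses, not Duqu indicators).
# Format: "<ISO timestamp> <client ip> <scheme> <destination host> <bytes sent>"
# Client 10.1.1.5 hits sync.vendor-example.test every 300 s exactly; the other
# clients browse at irregular intervals.
SAMPLE_LOG = """\
2011-10-20T09:00:00 10.1.1.5 https sync.vendor-example.test 512
2011-10-20T09:00:03 10.1.1.9 http news.site-example.test 1200
2011-10-20T09:05:00 10.1.1.5 https sync.vendor-example.test 514
2011-10-20T09:06:41 10.1.1.9 http news.site-example.test 980
2011-10-20T09:10:00 10.1.1.5 https sync.vendor-example.test 511
2011-10-20T09:12:15 10.1.1.12 https mail.site-example.test 3300
2011-10-20T09:15:00 10.1.1.5 https sync.vendor-example.test 515
2011-10-20T09:15:30 10.1.1.9 http news.site-example.test 1010
2011-10-20T09:18:05 10.1.1.9 http news.site-example.test 1030
2011-10-20T09:20:00 10.1.1.5 https sync.vendor-example.test 513
2011-10-20T09:25:00 10.1.1.5 https sync.vendor-example.test 512
2011-10-20T09:44:02 10.1.1.12 https mail.site-example.test 2900
"""


def parse_log(text):
    """Parse the whitespace-separated constructed log format into a list of records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, scheme, host, sent = line.split()
        records.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "scheme": scheme,
            "host": host,
            "bytes_sent": int(sent),
        })
    return records


def find_beacons(records, min_hits=4, max_cv=0.1):
    """Return {(client, host): stats} for client/host pairs whose request spacing
    is suspiciously regular: at least min_hits requests over HTTP/HTTPS and a
    coefficient of variation (stdev / mean of the gaps) no larger than max_cv.
    A human browsing a site produces ragged gaps; an implant on a timer does not."""
    by_pair = defaultdict(list)
    for r in records:
        if r["scheme"] in ("http", "https"):
            by_pair[(r["client"], r["host"])].append(r["time"])

    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = {"hits": len(times), "mean_gap_s": avg, "cv": cv}
    return flagged


if __name__ == "__main__":
    for (client, host), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {stats['hits']} requests, "
              f"every {stats['mean_gap_s']:.0f}s (cv={stats['cv']:.3f})")
```

On the sample data only the 10.1.1.5 to sync.vendor-example.test pair is reported; the news and mail traffic has either too few requests or too much jitter. On real logs the thresholds need tuning, legitimate software updaters also poll on timers, and a result is a lead for the incident response team to triage against known-good hosts, not a verdict on its own.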

For additional reading on this topic, and to bring additional resource content to your organization’s risk management, information security and cybersecurity team members, our staff offers the following articles: